diff options
author | Ludovic Courtès <ludo@gnu.org> | 2015-02-04 21:58:15 +0100 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2015-02-04 22:49:35 +0100 |
commit | 996ed73948e92eb2005a2a282856753d707f452c (patch) | |
tree | 3dd45afdbbb22c01652cd2df9b7b61742440c6ab | |
parent | ffd74de0c6de7435fcdc8e340efade032c365081 (diff) |
system: Add bindings to configure libc's NSS.
* gnu/system/nss.scm: New file.
* gnu-system.am (GNU_SYSTEM_MODULES): Add it.
* gnu.scm (%public-modules): Add it.
* gnu/system.scm (<operating-system>)[name-service-switch]: New field.
(etc-directory): Add #:nss parameter and honor it.
(operating-system-etc-directory): Adjust call accordingly.
* doc/guix.texi (operating-system Reference): Document
'name-service-switch'.
(Name Service Switch): New section.
-rw-r--r-- | doc/guix.texi | 116 | ||||
-rw-r--r-- | gnu-system.am | 1 | ||||
-rw-r--r-- | gnu.scm | 3 | ||||
-rw-r--r-- | gnu/system.scm | 10 | ||||
-rw-r--r-- | gnu/system/nss.scm | 213 |
5 files changed, 338 insertions, 5 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index fa3aa6d66d..e489d414bc 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -142,6 +142,7 @@ System Configuration * Locales:: Language and cultural convention settings. * Services:: Specifying system services. * Setuid Programs:: Programs running with root privileges. +* Name Service Switch:: Configuring libc's name service switch. * Initial RAM Disk:: Linux-Libre bootstrapping. * GRUB Configuration:: Configuring the boot loader. * Invoking guix system:: Instantiating a system configuration. @@ -3642,6 +3643,7 @@ instance to support new system services. * Locales:: Language and cultural convention settings. * Services:: Specifying system services. * Setuid Programs:: Programs running with root privileges. +* Name Service Switch:: Configuring libc's name service switch. * Initial RAM Disk:: Linux-Libre bootstrapping. * GRUB Configuration:: Configuring the boot loader. * Invoking guix system:: Instantiating a system configuration. @@ -3827,6 +3829,11 @@ Library Reference Manual}). @xref{Locales}, for more information. The list of locale definitions to be compiled and that may be used at run time. @xref{Locales}. +@item @code{name-service-switch} (default: @var{%default-nss}) +Configuration of libc's name service switch (NSS)---a +@code{<name-service-switch>} object. @xref{Name Service Switch}, for +details. + @item @code{services} (default: @var{%base-services}) A list of monadic values denoting system services. @xref{Services}. @@ -4648,6 +4655,115 @@ Under the hood, the actual setuid programs are created in the files in this directory refer to the ``real'' binaries, which are in the store. +@node Name Service Switch +@subsection Name Service Switch + +@cindex name service switch +@cindex NSS +The @code{(gnu system nss)} module provides bindings to the +configuration file of libc's @dfn{name service switch} or @dfn{NSS} +(@pxref{NSS Configuration File,,, libc, The GNU C Library Reference +Manual}). In a nutshell, the NSS is a mechanism that allows libc to be +extended with new ``name'' lookup methods for system databases, which +includes host names, service names, user accounts, and more (@pxref{Name +Service Switch, System Databases and Name Service Switch,, libc, The GNU +C Library Reference Manual}). + +The NSS configuration specifies, for each system database, which lookup +method is to be used, and how the various methods are chained +together---for instance, under which circumstances NSS should try the +next method in the list. The NSS configuration is given in the +@code{name-service-switch} field of @code{operating-system} declarations +(@pxref{operating-system Reference, @code{name-service-switch}}). + +@c See <http://0pointer.de/lennart/projects/nss-mdns/>. +As an example, the declaration below configures the NSS to use the +@code{nss-mdns} back-end for host name lookups: + +@example +(name-service-switch + (hosts (list %files ;first, check /etc/hosts + + ;; If the above did not succeed, try + ;; with 'mdns_minimal'. + (name-service + (name "mdns_minimal") + + ;; 'mdns_minimal' is authoritative for + ;; '.local'. When it returns "not found", + ;; no need to try the next methods. + (reaction (lookup-specification + (not-found => return)))) + + ;; Then fall back to DNS. + (name-service + (name "dns")) + + ;; Finally, try with the "full" 'mdns'. + (name-service + (name "mdns"))))) +@end example + +The reference for name service switch configuration is given below. It +is a direct mapping of the C library's configuration file format, so +please refer to the C library manual for more information (@pxref{NSS +Configuration File,,, libc, The GNU C Library Reference Manual}). +Compared to libc's NSS configuration file format, it has the advantage +not only of adding this warm parenthetic feel that we like, but also +static checks: you'll know about syntax errors and typos as soon as you +run @command{guix system}. + +@defvr {Scheme Variable} %default-nss +This is the default name service switch configuration, a +@code{name-service-switch} object. +@end defvr + +@deftp {Data Type} name-service-switch + +This is the data type representation the configuration of libc's name +service switch (NSS). Each field below represents one of the supported +system databases. + +@table @code +@item aliases +@itemx ethers +@itemx group +@itemx gshadow +@itemx hosts +@itemx initgroups +@itemx netgroup +@itemx networks +@itemx password +@itemx public-key +@itemx rpc +@itemx services +@itemx shadow +The system databases handled by the NSS. Each of these fields must be a +list of @code{<name-service>} objects (see below.) +@end table +@end deftp + +@deftp {Data Type} name-service + +This is the data type representing an actual name service and the +associated lookup action. + +@table @code +@item name +A string denoting the name service (@pxref{Services in the NSS +configuration,,, libc, The GNU C Library Reference Manual}). + +@item reaction +An action specified using the @code{lookup-specification} macro +(@pxref{Actions in the NSS configuration,,, libc, The GNU C Library +Reference Manual}). For example: + +@example +(lookup-specification (unavailable => continue) + (success => return)) +@end example +@end table +@end deftp @node Initial RAM Disk @subsection Initial RAM Disk diff --git a/gnu-system.am b/gnu-system.am index f9abc97fb1..ae4799379e 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -316,6 +316,7 @@ GNU_SYSTEM_MODULES = \ gnu/system/linux.scm \ gnu/system/linux-initrd.scm \ gnu/system/locale.scm \ + gnu/system/nss.scm \ gnu/system/shadow.scm \ gnu/system/vm.scm \ \ @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2014 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2014, 2015 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2015 Joshua S. Grant <jgrant@parenthetical.io> ;;; ;;; This file is part of GNU Guix. @@ -37,6 +37,7 @@ (gnu system linux) ; 'base-pam-services' (gnu system shadow) ; 'user-account' (gnu system linux-initrd) + (gnu system nss) (gnu services) (gnu services base) (gnu packages) diff --git a/gnu/system.scm b/gnu/system.scm index b3c5cd8038..3fe78339b7 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -47,6 +47,7 @@ #:use-module (gnu services base) #:use-module (gnu system grub) #:use-module (gnu system shadow) + #:use-module (gnu system nss) #:use-module (gnu system locale) #:use-module (gnu system linux) #:use-module (gnu system linux-initrd) @@ -137,6 +138,8 @@ (default "en_US.utf8")) (locale-definitions operating-system-locale-definitions ; list of <locale-definition> (default %default-locale-definitions)) + (name-service-switch operating-system-name-service-switch ; <name-service-switch> + (default %default-nss)) (services operating-system-user-services ; list of monadic services (default %base-services)) @@ -408,7 +411,7 @@ settings for 'guix.el' to work out-of-the-box." (skeletons '()) (pam-services '()) (profile "/run/current-system/profile") - hosts-file + hosts-file nss (sudoers "")) "Return a derivation that builds the static part of the /etc directory." (mlet* %store-monad @@ -422,10 +425,8 @@ settings for 'guix.el' to work out-of-the-box." /run/current-system/profile/bin/bash\n")) (emacs (emacs-site-directory)) (issue (text-file "issue" issue)) - - ;; For now, generate a basic config so that /etc/hosts is honored. (nsswitch (text-file "nsswitch.conf" - "hosts: files dns\n")) + (name-service-switch->string nss))) ;; Startup file for POSIX-compliant login shells, which set system-wide ;; environment variables. @@ -518,6 +519,7 @@ export ASPELL_CONF=\"dict-dir $HOME/.guix-profile/lib/aspell\" #:skeletons skeletons #:issue (operating-system-issue os) #:locale (operating-system-locale os) + #:nss (operating-system-name-service-switch os) #:timezone (operating-system-timezone os) #:hosts-file /etc/hosts #:sudoers (operating-system-sudoers os) diff --git a/gnu/system/nss.scm b/gnu/system/nss.scm new file mode 100644 index 0000000000..ec2d2517e7 --- /dev/null +++ b/gnu/system/nss.scm @@ -0,0 +1,213 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org> +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. + +(define-module (gnu system nss) + #:use-module (rnrs enums) + #:use-module (guix records) + #:use-module (srfi srfi-9) + #:use-module (ice-9 match) + #:export (name-service-switch? + name-service-switch + name-service? + name-service + + lookup-specification + + %default-nss + %files + %compat + %dns + + name-service-switch->string)) + +;;; Commentary: +;;; +;;; Bindings for libc's name service switch (NSS) configuration. +;;; +;;; Code: + +(define-record-type* <name-service> name-service + make-name-service + name-service? + (name name-service-name) + (reaction name-service-reaction + (default (lookup-specification)))) + +;; Lookup specification (info "(libc) Actions in the NSS Configuration"). + +(define-enumeration lookup-action + (return continue) + make-lookup-action) + +(define-enumeration lookup-status + (success + not-found + unavailable + try-again) + make-lookup-status) + +(define-record-type <lookup-status-negation> + (lookup-status-negation status) + lookup-status-negation? + (status lookup-status-negation-status)) + +(define-record-type <lookup-reaction> + (make-lookup-reaction status action) + lookup-reaction? + (status lookup-reaction-status) + (action lookup-reaction-action)) + +(define-syntax lookup-reaction + (syntax-rules (not =>) + ((_ ((not status) => action)) + (make-lookup-reaction (lookup-status-negation (lookup-status status)) + (lookup-action action))) + ((_ (status => action)) + (make-lookup-reaction (lookup-status status) + (lookup-action action))))) + +(define-syntax-rule (lookup-specification reaction ...) + "Return an NSS lookup specification." + (list (lookup-reaction reaction) ...)) + + +;;; +;;; Common name services and default NSS configuration. +;;; + +(define %compat + (name-service + (name "compat") + (reaction (lookup-specification (not-found => return))))) + +(define %files + (name-service (name "files"))) + +(define %dns + ;; DNS is supposed to be authoritative, so unless it's unavailable, return + ;; what it finds. + (name-service + (name "dns") + (reaction (lookup-specification ((not unavailable) => return))))) + +;; The NSS. We list all the databases here because that allows us to +;; statically ensure that the user's configuration refers to existing +;; databases. See libc/nss/databases.def for the list of databases. Default +;; values obtained by looking for "DEFAULT_CONFIG" in libc/nss/*.c. +;; +;; Although libc places 'dns' before 'files' in the default configurations of +;; the 'hosts' and 'networks' databases, we choose to put 'files' before 'dns' +;; by default, so that users can override host/address mappings in /etc/hosts +;; and bypass DNS to improve their privacy and escape NSA's MORECOWBELL. +(define-record-type* <name-service-switch> name-service-switch + make-name-service-switch + name-service-switch? + (aliases name-service-switch-aliases + (default '())) + (ethers name-service-switch-ethers + (default '())) + (group name-service-switch-group + (default (list %compat %files))) + (gshadow name-service-switch-gshadow + (default '())) + (hosts name-service-switch-hosts + (default (list %files %dns))) + (initgroups name-service-switch-initgroups + (default '())) + (netgroup name-service-switch-netgroup + (default '())) + (networks name-service-switch-networks + (default (list %files %dns))) + (password name-service-switch-password + (default (list %compat %files))) + (public-key name-service-switch-public-key + (default '())) + (rpc name-service-switch-rpc + (default '())) + (services name-service-switch-services + (default '())) + (shadow name-service-switch-shadow + (default (list %compat %files)))) + +(define %default-nss + ;; Default NSS configuration. + (name-service-switch)) + + +;;; +;;; Serialization. +;;; + +(define (lookup-status->string status) + (match status + ('success "SUCCESS") + ('not-found "NOTFOUND") + ('unavailable "UNAVAIL") + ('try-again "TRYAGAIN") + (($ <lookup-status-negation> status) + (string-append "!" (lookup-status->string status))))) + +(define lookup-reaction->string + (match-lambda + (($ <lookup-reaction> status action) + (string-append (lookup-status->string status) "=" + (symbol->string action))))) + +(define name-service->string + (match-lambda + (($ <name-service> name ()) + name) + (($ <name-service> name reactions) + (string-append name " [" + (string-join (map lookup-reaction->string reactions)) + "]")))) + +(define (name-service-switch->string nss) + "Return the 'nsswitch.conf' contents for NSS as a string. See \"NSS +Configuration File\" in the libc manual." + (let-syntax ((->string + (syntax-rules () + ((_ name field) + (match (field nss) + (() ;keep the default config + "") + ((services (... ...)) + (string-append name ":\t" + (string-join + (map name-service->string services)) + "\n"))))))) + (string-append (->string "aliases" name-service-switch-aliases) + (->string "ethers" name-service-switch-ethers) + (->string "group" name-service-switch-group) + (->string "gshadow" name-service-switch-gshadow) + (->string "hosts" name-service-switch-hosts) + (->string "initgroups" name-service-switch-initgroups) + (->string "netgroup" name-service-switch-netgroup) + (->string "networks" name-service-switch-networks) + (->string "passwd" name-service-switch-password) + (->string "publickey" name-service-switch-public-key) + (->string "rpc" name-service-switch-rpc) + (->string "services" name-service-switch-services) + (->string "shadow" name-service-switch-shadow)))) + +;;; Local Variables: +;;; eval: (put 'name-service 'scheme-indent-function 0) +;;; eval: (put 'name-service-switch 'scheme-indent-function 0) +;;; End: + +;;; nss.scm ends here |